A crystal-clear denouement of U.S. readiness to combat threats in cyberspace came at a hearing held March 10 by the U.S. House Committee on Homeland Security. After about an hour of listening to testimony from five witnesses representing government and the private sector, committee chairman Rep. Bennie Thompson (D-Miss.) asked if any of them felt that the federal government was prepared to deal with a cybercatastrophe. Not one did.
More than seven years after the terrorist attacks of Sept. 11, 2001, there’s widespread consensus that federal efforts to secure cyberinfrastructure are bogged down by a lack of vision, planning and leadership.
While the government has struggled to come up with a cohesive national strategy for defending its interests on the Internet, threats in cyberspace have continued to grow and today pose a grave risk to national and economic security.
Adversaries, which include unfriendly governments and militaries, intelligence agencies, organized criminal groups and hacktivists, have by most accounts already penetrated U.S. government and private networks or are actively engaged in doing so. The attacks have grown in sophistication and effectiveness in recent years.
Most of the efforts appear to be focused on leeching away secrets from public and private IT sectors for profit and for espionage. A report released in March by the University of Toronto and think tank The SecDev Group showed how a group with apparent ties to China has systematically breached systems in more than 100 countries, apparently for espionage purposes. At the same time, the potential for attackers to disrupt vital networks and systems in critical infrastructure areas such as banking and power is growing daily.
The threat has not gone unnoticed. Earlier this month, Sens. Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.) introduced new legislation that would give the federal government sweeping new authority on the cybersecurity front.
The legislation would give the government a more direct role in developing and enforcing baseline standards, not just for agencies but also for companies in critical infrastructure areas such as financial services, utilities and health care. It would empower the president to declare a cyberemergency if needed and allow him to disconnect federal or private-sector networks in the interests of national security.
The current administration has made cybersecurity a priority. In February, President Barack Obama ordered Melissa Hathaway, a Bush administration official who is credited with helping to develop a multibillion-dollar classified initiative aimed at better securing federal systems, to conduct a 60-day review of the government’s cybersecurity efforts.
What that report says and any strategies and policies that result from it are going to be critical in the near and long term. “Our digital infrastructure has become the most important underpinning of U.S. national and economic security,” says Amit Yoran, former director of the National Cybersecurity Division at the U.S. Department of Homeland Security (DHS). “In order to make good resource-allocation decisions, we need to understand the risk better,” Yoran says.
According to him and several others across industry and government, these are some of the key things the feds need to do in the near term.
Implement strong leadership
If the national information security agenda seems like a ship adrift on the high seas, that’s because there’s no one at the helm, say security executives and analysts alike. Or at least no one who has been truly capable of enforcing the order needed to steer a steady course.
On paper at least, the DHS is responsible for overseeing information security across the federal government. But for most of its existence, the agency’s leadership on information security issues has been conspicuous by its absence. Even where it has tried, its efforts have been less than successful.
A National Cyber Security Center (NCSC) that was set up within the DHS in January 2008 with the specific task of coordinating information security across the federal government has so far failed to get off the ground. In March, its first director, Rod Beckstrom, quit the post after just a year on the job, citing a lack of support from within the DHS and turf wars with the National Security Agency (NSA).
At the time he quit, the NCSC had almost no funding for the effort, just two employees and two “detailees” from the NSA. “If you are going to run a major coordination effort, you got to have the resources to build that capability,” he says, adding that “the financial constraints which have been placed upon the NCSC are simply ridiculous and leave the nation vulnerable to attack.”
The NSA, which is in charge of the Comprehensive National Cybersecurity Initiative (CNCI), has been jostling for broader control of the federal information security agenda. But while almost everyone acknowledges that the NSA can bring the skills, the experience and the clout needed for the job, the prospect of a spy agency running the domestic cyberagenda is not sitting well with most.
Rather, the role of setting, overseeing and coordinating a national information security agenda needs to rest directly with the White House, according to the Center for Strategic and International Studies (CSIS) and others. The DHS and other federal agencies would then work with a new specially created White House Office of Cyberspace to roll out and manage security policy.
Unlike the DHS, “the White House has the authority to make agencies act,” says Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office (GAO). Establishing White House responsibility will ensure that agencies and other stakeholders cooperate in marshaling the resources needed to implement a national cyberstrategy, he says.
Create a national strategy for defending cyberspace
Over the past few years, billions of dollars have been poured into cybersecurity across the federal government. The investments have yielded numerous scatter-shot efforts such as a smart card identity credential rollout across federal agencies, a governmentwide move to more-secure Internet protocols and the highly classified CNCI to boost the ability of government to detect and respond to threats and security vulnerabilities in near real-time.
The initiatives are expected to yield significant benefits down the road, but none of them is tied to any broader strategic goals or missions. One of the biggest current needs is for a comprehensive national security strategy that sets the agenda for how, where, when and why security investments such as these need to be made and who will be responsible for enforcing them. The strategy will need to spell out baseline standards for entities in critical infrastructure areas.
The CSIS, a Washington-based bipartisan think tank that in December submitted a set of security recommendations to President Obama, argues that such a strategy would require the government to declare its cyberinfrastructure a vital asset for national and economic security. It would then need to indicate its willingness to use all of the tools at its disposal — diplomatic, economic, military and intelligence — to protect that asset.
Build a cyber-response capability
In 1963, soon after the Cuban missile crisis, President John F. Kennedy established a National Communications System (NCS) responsible for ensuring the reliability and availability of communications capabilities during emergencies. Its task was to work with federal agencies and private industry to provide national security and emergency preparedness capabilities for the telecommunications sector. During the 9/11 crisis, the NCS played a crucial role in coordinating the resources needed to ensure that vital communication services remained uninterrupted.
When it comes to cybersecurity, there is no equivalent capability, says James Lewis, director of the technology and public policy program at the CSIS. “If there’s a fire on the Internet, who’s the fire department?” he asks. In the event of an Internet crisis, there is no single entity that either the federal government or private industry can depend on to coordinate a response. “There’s no one you can simply pick up the phone and speak with,” Lewis says.
Implementing such a capability is not going to be easy, says Paul Kurtz, former special assistant to the president and senior director for critical infrastructure protection on the White House’s Homeland Security Council. Attacks against key Internet protocols and routing technologies could cause considerable and lengthy disruption. Coordinating a response could involve numerous stakeholders including carriers, Internet service providers, technology vendors and bodies like ICANN (the Internet Corporation for Assigned Names and Numbers), says Kurtz, who is currently a partner at Good Harbor Consulting LLC.
“In the old days, we had trucks with SS7 network switches on them that could be rolled in place quickly to reconnect copper networks that went down,” Kurtz says. “In an IP-based world, we have not even begun to scratch the surface of how we would restore networks” in the event of a cataclysmic disruption.
Secure targets in critical infrastructure areas
The “digital Pearl Harbor” in which large swathes of the Internet would be taken down by adversaries to create widespread disruption is a possibility that needs to be prepared for, security analysts say. But far more likely and worrying are more focused attacks against critical infrastructure targets such as power, financial services and water services.
The cascading blackout in the Northeast in 2003 remains a potent example of the havoc a computer failure can cause — even if, as in that case, the incident was caused by negligence rather than malice.
Another reminder is an experiment conducted in March 2007 in which the Idaho National Laboratory showed how it could reduce a power turbine to a smoking, shuddering, metal-spewing mess simply by executing malicious code on the computer controlling the system.
These examples are only the tip of the iceberg. According to the GAO’s Wilshusen, the trend over the past few years to connect the systems that are used to control critical equipment to the Internet in power generation and distribution, water treatment, biotech, pharmaceuticals and transportation is making them more vulnerable to threats.
This was demonstrated in 2000 when a disgruntled employee at an Australian water-treatment plant released about 264,000 gallons of raw sewage into nearby rivers and parks by breaking into the control systems using a radio transmitter, he says.
Similarly, in August 2003, a computer virus called Sobig managed to infiltrate a control system at CSX Corp.’s headquarters in Florida and shut down train signaling systems throughout the East Coast for hours, he says.
And in October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee’s laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant’s computer system.
Although almost all critical infrastructure systems are owned by the private sector, making sure they are adequately protected should be a top priority for government, says Wilshusen. Not only should baseline security standards be established for critical infrastructure industries, he says, but there should also be regulations for enforcing them and a formal strategy for sharing information and information-security practices between the private and public sectors.
Use federal procurement power to force better security from vendors
As the de facto CIO of the federal government under the Bush administration, Karen Evans knows a lot about how to use the government’s enormous buying power to force technology vendors to improve security. “When you spend $71 billion in the marketplace, you should be very clear about what your requirements are” and expect vendors to abide by them, she says.
One place where the government has successfully done this is in the Federal Desktop Core Configuration (FDCC) initiative, in which it is working with Microsoft Corp. and other technology vendors to ensure that all Windows XP and Vista desktops delivered to government have standard baseline security configurations. There’s no reason why a similar model can’t be implemented to get vendors to do things such as turning off default configurations and disabling functions that pose a security risk before products are delivered to agencies. Implementing security language in federal acquisition rules is much easier than forcing regulations down vendor throats, Evans says.
Requiring vendors to bake in security and centralizing procurement across government can also bring costs down significantly, says Alan Paller, director of research at the SANS Institute, a training and certification organization in Bethesda, Md. “Right now, there’s enormous inefficiency” when it comes to security purchases, he says.
Develop an offensive capability
Patti Titus, the previous chief information security officer at the Transportation Security Administration, is among a growing number of executives arguing for the development of deterrent capabilities in cyberspace. “What we need to say is, ‘We are the U.S., and if you mess with us, you’d better be careful,’” says Titus, who is currently chief information security officer at Unisys Corp.
For too long, the country has been focusing on building a defensive capability that has done little to stop adversaries from infiltrating government networks, supply chain and distribution systems, she says. “It’s time to come up with some way of launching back at those that mean to do harm,” Titus suggests.
But figuring out the nuances of such a strategy can be tricky, and care needs to be taken, says Kurtz. “There is some real work that needs to be done” on a global basis to think through issues, he says. “What is an act of war in cyberspace? We need to have a far more substantial dialog here in the United States and abroad about what this means,” he says, especially because the means to do harm in cyberspace are not restricted just to governments and militaries.
Unlike nation-states that “display fighter planes and battleships as an overt show of force, countries don’t brag about their offensive cybercapabilities,” says Steven Chabinsky, senior cyberadvisor to the director of national intelligence. “They guard them in a very secretive manner,” and there’s no telling if they intend to use that capability, says Chabinsky. “In cyber, capabilities tend to get better over time, and intentions can change quickly,” he cautions. And there always is the possibility that a nation that wants to do damage can simply hijack or use exploitation capabilities built by others.
“Determining who the attackers are, who the enemies are, is one of the biggest problems we have as a government and in the private sector,” says Shawn Carpenter, a former network security analyst at Sandia National Laboratories.
Carpenter was fired in January 2005 for his independent probe of a network security breach at the agency, which he traced back to a Chinese espionage group called Titan Rain, by doing some reverse-hacking of his own. But make no mistake, he says, the enemy is already here, lurking in sensitive systems and networks, in control of large botnets, inside financial systems and the power grid, and it needs to be stopped.
“My definition of a digital Pearl Harbor is where these people are already here. They already have access and are just sort of hanging out maintaining their access for the time when they get some instruction to bring down the system or corrupt information,” he says.
Don Tennant contributed to this report.